| From: | Frank Gard <frank(dot)von(dot)postgresql(dot)org(at)familie-gard(dot)de> |
|---|---|
| To: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
| Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
| Subject: | Re: proper pg_hba config to require ssl from non-local/private ips |
| Date: | 2022-10-19 16:26:56 |
| Message-ID: | fb8768ca-6d01-b7f6-57fb-d04ad089dd80@familie-gard.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Hi Jeff,
Am 19.10.22 um 17:47 schrieb Jeff Janes:
> On Wed, Oct 19, 2022 at 8:50 AM Matthew Lenz <mlenz(at)nocturnal(dot)org> wrote:
>
> This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?
>
>
> Did you reload the server configurations after changing the file? What is the address of that non-local host, as seen by the server? (you can check the first with `select * from pg_hba_file_rules`,
unfortunately that's not true, at least up to Pg v14 (I don't know if they've changed this IMHO "unexpected" behaviour in the meantime). The pg_hba_file_rules seems to be just an SQL frontend to the hba-file's content and does not(!) reflect the currently active
configuration. So you can see your changes before the are activated, e.g. by calling pg_reload_conf().
> […]
Cheers,
Frank.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Matthew Lenz | 2022-10-19 16:29:26 | Re: proper pg_hba config to require ssl from non-local/private ips |
| Previous Message | Matthew Lenz | 2022-10-19 16:26:20 | Re: proper pg_hba config to require ssl from non-local/private ips |